[prev in list] [next in list] [prev in thread] [next in thread]
List: netfilter
Subject: Re: Re: Can I only allow those normal TCP 3-handshake packets through
From: u9067580 () cis ! nctu ! edu ! tw
Date: 2004-04-30 2:53:19
Message-ID: 4091C1E8.3020401 () cis ! nctu ! edu ! tw
[Download RAW message or body]
On Wednesday 28 April 2004 15:50, David Cannings Wrote:
> On Wednesday 28 April 2004 13:45, u9067580@cis.nctu.edu.tw wrote:
>> I use a test tool to verify my iptables firewall, but unfortunately it
>> doesn't pass. The test tool doesn't follow the normal TCP 3-handshake
>> Syn->SynAck->Ack, it goes as below.
>> 1. A:25205 ---SYN---> B:80
>> 2. A:25205 <---SYN--- B:80
>> (ie. 25205 and 80 are port numbers)
>> My test report tells me that it can successfully send a reply (2nd)
>> packet, which only has SYN flag, through my firewall. I found the tcp
>> tracking state is SYN_RECV from the /proc/net/ip_conntrack after the
>> 2nd packet is pass. As my understood, the SYN_RECV only happens when
>> the "Syn+Ack" packet is pass, doesn't it?
>
> No. If a packet with the SYN and ACK packets is received in response
to a
> packet with only SYN sent, you send an ACK (the third part of the three
> way handshake) and enter the ESTABLISHED state. The "normal" three way
> handshake does not enter the SYN_RECEIVED state on the client side.
>
> What you are seeing is perfectly valid, receiving a packet with only SYN
> set in response to the first step of the three way handshake enters
> SYN_RECEIVED and is called a "simultaneous open". Using Google Image
> Search for "tcp state diagram" will bring up a multitude of diagrams
> which show this.
>
Yes, "simultaneous open".
The test suite is 'CDRouter', and it verifies the piggyback TCP SYN
connections from WAN. Have you ever heard this kind of attack? I
consider the test suite can't simply accuse my firewall of allowing this
attack, however this behavior is acceptable.
>> Besides, can I only allow those normal TCP 3-handshake packets through
>> my firewall?
>
> Just using conntrack as normal and denying any NEW packets to ports that
> shouldn't have daemons listening on them probably will not stop these
> packets. Denying these packets using the --syn flag, for ports that
> should not have daemons on, should work. I have not tested it but I
> believe this would stop the situation you describe. If you do test this,
> please post your results so I and others know whether it works or not.
> Note that what you are seeing is an acceptable situation however, you
may
> not wish to block it.
>
I believe it can work, too. But, it's hard to specify those open ports
to me. I would like to modify the 'state' match or create a new match
for Syn->SynAck->Ack.
Thanks,
/Jason
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic